Analysis
- max time kernel: 128s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-07-2024 01:03
Static task: static1
Behavioral task: behavioral1
- Sample: 8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe
- Resource: win10v2004-20240704-en
General
- Target: 8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe
- Size: 225KB
- MD5: 15346c0ed3c1b9044f2a7a9e8a104891
- SHA1: d3032f7edf80c738df0b398f85cd013e1b7f18d0
- SHA256: 8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5
- SHA512: d46959b818bef0bf4e0971f645355e880ad7f54b7b0fe2e07ba0901a6a83e30aa13c8bf8f91145bc5b3ee90f65963810620af074b59fe1a068b7502fcf565699
- SSDEEP: 6144:zA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:zATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
  Processes (pid, pid_target, process, target process):
    2100  2276  WerFault.exe  winver.exe
    3488  1844  WerFault.exe  8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe

- Modifies data under HKEY_USERS (1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"  svchost.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeShutdownPrivilege        3384  Explorer.EXE
    Token: SeCreatePagefilePrivilege  3384  Explorer.EXE
    Token: SeShutdownPrivilege        3384  Explorer.EXE
    Token: SeCreatePagefilePrivilege  3384  Explorer.EXE

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
    2276  winver.exe
    1844  8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe

- Suspicious use of UnmapMainImage (1 IoCs)
  Processes (pid, process):
    3384  Explorer.EXE

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1844 wrote to memory of 2276  1844  8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe  winver.exe
    PID 1844 wrote to memory of 2276  1844  8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe  winver.exe
    PID 1844 wrote to memory of 2276  1844  8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe  winver.exe
    PID 1844 wrote to memory of 2276  1844  8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe  winver.exe
    PID 2276 wrote to memory of 3384  2276  winver.exe  Explorer.EXE
    PID 1844 wrote to memory of 3384  1844  8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe  Explorer.EXE
Processes (indented by depth in the process tree)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
    - C:\Users\Admin\AppData\Local\Temp\8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8d8a373d5df45d92ed5a8d259b0a9c3617ee62ef0f5bd7e2d2931113617978b5.exe"
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\winver.exe
          Command line: winver
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 300
              - Program crash
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 772
          - Program crash
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2276 -ip 2276
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1844 -ip 1844
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads (memory dumps, with file size)
- memory/1844-1-0x00000000045C0000-0x0000000004C18000-memory.dmp (6.3MB)
- memory/1844-2-0x0000000002530000-0x0000000002531000-memory.dmp (4KB)
- memory/1844-6-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1844-12-0x00000000045C0000-0x0000000004C18000-memory.dmp (6.3MB)
- memory/3384-4-0x0000000001010000-0x0000000001016000-memory.dmp (24KB)
- memory/3384-5-0x0000000001010000-0x0000000001016000-memory.dmp (24KB)
- memory/3384-9-0x00000000029C0000-0x00000000029C6000-memory.dmp (24KB)